Trying to get Roon Bridge to work with the built-in firewall on Ubuntu (ufw). Found a posting from 2015 saying that I need to forward UDP port 9003 and TCP/IP ports 9100-9200, but I’m struggling with the syntax, and this topic doesn’t seem to have made it into the Roon documentation.
Would like to “allow” roonbridge as a service but it does not seem to have an entry in /etc/services although it is a running service. ufw default settings currently block Roon Bridge.
sudo ufw allow from 192.168.1.0/24 to any port 9100:9200 proto tcp
sudo ufw allow from 192.168.1.0/24 to any port 9003 proto udp
sudo ufw allow from 192.168.1.0/24 to any port 1900 proto udp
While the above settings may work at the present time, you should be aware that the Roon ports may change in the future and a few ports are randomly generated.
While I can’t comment on the specific steps, we suggest setting an “application-level” firewall exception to any Roon programs.
Thanks. I did look into that, but the running Roon service is not listed in the services file – can it be added, or is there a way of allowing the Roonbridge “application” access?
I am not too familiar with Ubuntu’s firewall and how it works, but a Google search reveals that the Gufw firewall allows application-level exceptions to be set, so you may want to use this instead:
True, but only a small number of applications seem to be covered (ones installed using apt?), so it looks to me that per-port rules are the only way to go. But I am an absolute novice as regards networking!
What’s the IP address of your Roon core? For example, if it’s 192.168.0.11 change the above lines to include 192.168.0.0. Then cut ‘n’ paste those (amended) lines into a terminal. That’s all you need to do.
If you have a GUI you can add the rules using Gufw … this is a front end for UFW.
Hi @mjw. First off, thanks for the helpful posts. Not sure why the Roon ROCK IP address is significant (ref. your last post), but for the record it’s 192.168.1.151 and the router IP address is 192.168.1.1. ROCK and my Synology NAS have fixed IP addresses, but I never discovered how to give my two RPi endpoints a fixed address (so that I could shut them down tidily).
Significant in the sense that it identifies the subnet, i.e. the firewall rules only allow traffic in the range 192.168.1.1 through 192.168.1.254. The code in my first reply will work for you.
Well, I’ve spent an hour or more trying all the variations that I could think of, and carefully rebooting everything between changes, but whatever I set I don’t see the Roon Bridge end-point running on the lubuntu PC. The only thing I’ve been able to do is give access to ALL ufw ports from the router (To Anywhere From 192.168.1.0/24) – but is that any different from not having a firewall at all, I wonder? Maybe it’s just lubuntu…
Currently running lubuntu 14.04 on an old NetBook, while my NUC is in for repair. Roon Bridge runs at startup and works fine. I do use ropieee and dietpi on my RPi end points.
Okay, so you are trying to run Roon Core not Roon Bridge on the netbook?
What spec is the netbook? It may not have sufficient performance to run Roon Core. What’s more, you really don’t want to be running a GUI and will get better performance using something like a Ubuntu Server minimal install.
Sorry Martin, I wasn’t being clear. Roon ROCK is running on its own NUC. The lubuntu NetBook is just a PC for work and is only running an old version of lubuntu because it’s too puny to run Windows or Ubuntu.
Nononono… I just want to run Roon Bridge so that I can play music while I work. But I want to have a running firewall for routine security. The lubuntu PC is just another end point, but running on Linux, so only Roon Bridge is available.
OK, I think I will have to close this topic now. I’ve tried every combination of rules I can think of, but Roon Bridge seems only to run when ufw isn’t. So…
either ufw doesn’t run properly on lubuntu 14.04 (but I think it does);
or Roon Bridge doesn’t run properly on lubuntu 14.04 (but again I think it does, at least in the absence of ufw);
or I’m still trying to set the wrong rules, or trying to set the right rules on the wrong ports (if this is even a thing).
I’ll try again when I have a standard ubuntu machine to play with.
The issue is that roon-bridge seems to open up a random port in the ephemeral port range when connecting to roon-core. For example, right now it is failing for me because it’s listening on port 43025, so that is blocked by my firewall.
I’m not quite sure what the intended protocol is here though. But it would be better if roon-bridge used a predictable listen port if possible.
The weird thing is this works sometimes for me even with the firewall enabled. But I haven’t looked into that too much.
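As an added example (not code from the thread, from Roon, or from ufw), a small POSIX shell script that ties the two halves of this discussion together: it derives the /24 subnet from the core's address, as the earlier reply asked the poster to do, prints the per-port ufw rules from that reply, and prints the host-based alternative that a practitioner would reach for once the bridge turns out to listen on a random ephemeral port: allowing all inbound traffic from the core's single address rather than from the whole LAN. The helper names, the assumption that the LAN is a /24, and the sample addresses are mine; the script prints the commands so they can be reviewed before running them with sudo.

```shell
#!/bin/sh
# Added example: print ufw rules for Roon Bridge given the Roon core's IP.
# Nothing here is executed with sudo; copy the printed lines once reviewed.

# Hypothetical helper (assumes a /24 LAN): 192.168.1.151 -> 192.168.1.0/24
subnet_of() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# Per-port rules for the whole subnet, as posted earlier in the thread
# (UDP 9003, TCP 9100-9200, UDP 1900 for SSDP discovery).
# These do not cover a random ephemeral listen port.
port_rules() {
    net=$(subnet_of "$1")
    printf 'ufw allow from %s to any port 9100:9200 proto tcp\n' "$net"
    printf 'ufw allow from %s to any port 9003 proto udp\n' "$net"
    printf 'ufw allow from %s to any port 1900 proto udp\n' "$net"
}

# Host-based alternative: allow every inbound port from the core's address
# only. This covers whatever ephemeral port the bridge picks, while the rest
# of the LAN (and the Internet) stays blocked by ufw's default deny policy.
# ufw accepts "allow from <addr>" with no port or protocol.
core_rule() {
    printf 'ufw allow from %s\n' "$1"
}

# Usage: ./roon-ufw.sh 192.168.1.151   (constructed sample address)
if [ -n "$1" ]; then
    echo "# subnet-wide, per-port rules:"
    port_rules "$1"
    echo "# or, host-only rule covering ephemeral ports:"
    core_rule "$1"
fi
```

The host-only rule is the narrower of the two in source address (one host instead of 254) but wider in ports, which is the right trade when the remote peer is a single trusted appliance on your own LAN and the port is unpredictable. After applying either set, `sudo ufw status numbered` lists the active rules, and `ss -ltnup` on the bridge machine shows which port RoonBridge is actually listening on, so you can confirm the rule matches what the daemon opened.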